The reality is that the vulnerability of the Department of Defense — and of the nation — to offensive information warfare attack is largely a self-created problem. Program by program, economic sector by economic sector, we have based critical functions on inadequately protected telecomputing services. In the aggregate, we have created a target-rich environment, and US industry has sold globally much of the generic technology that can be used to strike these targets.

— Report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D), November 1996

Most articles about the US information superhighway have concentrated on the need for better physical security, while at the same time identifying many of its cyber-related vulnerabilities. Few address what possibly is the most vulnerable element — the human operators — and the inability of those operators from the policy level down to practice good operations security (OPSEC).

In a 4 June 1998 Guardian Online article by Duncan Campbell, entitled “Hiding from the Spies in the Skies,” he states, “The Internet has made tracking and evading spy satellites child’s play.... Data and programs downloaded from the Net enable anyone to track the satellites and work out when the spies in the sky are overhead.” Campbell also provides instructions on how to visually acquire satellites with the naked eye and even lists six Internet Uniform Resource Locator addresses where one can find programs and information on the location of the “spies in the skies.” He refers to several Internet sites in his article that offer the capabilities to track the locations, routes, and times certain satellites will pass over specific locations.

India’s Nuclear Tests

In May 1998, India conducted a series of underground nuclear tests that, according to the press, the Clinton Administration learned about when India publicly announced the tests. This prompted widespread speculation about how multibillion-dollar US surveillance and reconnaissance assets could have missed the critical clues that revealed the impending tests. India readily admitted that it knew how to deceive the United States. It referenced information the United States had shown it in the past and also downloaded tools freely available from the Internet. In an Associated Press article of 15 May 1998, Indian nuclear researcher G. Balachandran stated, “It’s not a failure of the CIA. It’s a matter of their intelligence being good, our deception being better.”

An action that further assisted the Indians in their deception campaign was the “sharing” of intelligence and overhead imagery by the United States. In an effort to thwart a nuclear test in December
1995 and January 1996, the United States had shared this information with the Indians to convey the message that “We know what you are doing and do not approve.” Demonstrating the US capability to track India’s actions, and the fact that the United States was tracking their actions, directly informed the Indians that they needed to develop a superb OPSEC and deception campaign.

The commission that was formed to evaluate why the intelligence community (IC) failed to predict the Indian nuclear tests concluded that the IC needs a good overhaul. It directed little attention, however, to India’s successful deception effort or to development of an information operation (IO) perception management campaign. Instead, it recommended reviews of policies, changes in leadership and management philosophies, and organizational structures. The commission’s recommendations address, in a generic manner, the symptoms of the problems, not the causes:

The organization needs to be scrubbed, and I am talking about the IC organization, not necessarily the CIA, to improve the clarity of the structure, to fix responsibilities, to resource the staff with appropriate tools, and to inform the organization once that review has taken place.

No mention was made of improving education or training, increasing manpower, or dedicating more assets to those who need it most — the workers. Therefore, the imagery analysts will continue to work
under a new and improved management and supervisory staff, who will tell or show the analysts how to do a better job with the available resources.

OPSEC requires the same elements as the imagery analysts do: improved education and training and increased billet authorizations. OPSEC requires as much senior-level support as do the other elements. Furthermore, all elements of IO can no longer be common-sense based — they are not integrally linked to each other.


Beating the System

Katie Hafner and John Markoff, in their book Cyberpunk: Outlaws and Hackers on the Computer Frontier, give an instructive example of how easy it can be to access a computer system:

While in Washington, Susan got the chance to demonstrate her “social engineering skills.” As Susan later told the story, a team of... colonels and generals from three service branches sat at a long conference table with a computer terminal, a modem, and a telephone. When Susan entered the room, they handed her a sealed envelope containing the name of a computer system and told her to use any abilities or resources that she had to get into that system. Without missing a beat, she logged on to an easily accessible military computer directory to find out where the computer system was. Once she found the system in the directory, she could see what operating system it ran and the name of the officer in charge of that machine. Next, she called the base and put her knowledge of military terminology to work to find out who the commanding officer was at the SCIF, a secret compartmentalized information facility. “Oh, yes, Major Hastings.” Casually, she told the person she was talking to that she couldn’t think of Major Hastings’s secretary’s name. “Oh,” came the reply. “You mean Specialist Buchanan.” With that, she called the data center and, switching from nonchalant to authoritative, said, “This is Specialist Buchanan calling on behalf of Major Hastings. He’s been trying to access his account on this system and hasn’t been able to get through, and he’d like to know why.” When the data center operator balked and started reciting from the procedures manual, her temper flared and her voice dropped in pitch. “Okay, look, I’m not going to screw around here. What is your name, rank, and serial number?” Within 20 minutes, she had what she later claimed was classified data on the screen of the computer on the table. A colonel rose from his seat, said, “That will be enough, thank you very much,” and pulled the plug.

This story may or may not be based on a true incident, but similar such incidents occur on a daily basis around the world. In 1997, the JCS mandated the conduct of the first-ever No-Notice Interagency Exercise (NIEX) based on an IO scenario as part of the ELIGIBLE RECEIVER exercise series. Several other Unified Command commanders have also ordered that similar IO-based exercises be conducted within the confines of their command.

These IO-based scenarios are designed to test the Blue Team’s ability to overcome an unknown adversary who will be attacking from an unknown location and time against a large variety of potential targets. The goals of these exercises are to prepare the United States for any type of IO attack, to get US personnel “thinking outside the box,” and to test the US ability to thwart such an attack. Thus far, the Red Teams for these IO-related exercises have achieved unprecedented victories over the Blue Teams.

ELIGIBLE RECEIVER 97-1, as well as several other IO-based exercises, disclosed several human vulnerabilities in the cyber world, including the ease with which Red Team personnel “socially engineered” Department of Defense (DoD) personnel and the vast amount of valuable information the Red Team was able to collect from the Internet on a daily basis. When participants were asked who was addressing the recommendations and conclusions from after-action reports for past IO-based exercises, the answer was always, “That’s a good question.”

Approaches to the Problem

The DoD has more than 2.1 million computers, more than 10,000 Local Area Networks (LANs), and more than 100 long-distance networks. More than 95 percent of this system is commercial, commercial based, or leased from commercial sources (phone lines, computer hardware and software, and service contracts).

The DoD is taking some actions to prevent similar exploitation of the US critical infrastructures, but, once again, these actions are mostly cyber- and computer-related. Is the popularity of IO-related exercises merely a result of the “newest fad,” available funding, or survival techniques? Repeating Red Team victories from one Unified Command or agency to another without trying to fix the problem(s) creates a “self-licking ice cream cone” for the IO community, that is, an ensured mission and fund site for the foreseeable future.

One major obstacle some DoD agencies have overcome, however, is the propensity to create a “loophole” so the Blue Team always wins. This fact alone demonstrates some have taken a paradigm shift and a step in the right direction. But one more paradigm shift is required. DoD has to realize that the human element, not the computer, remains the true cornerstone of information warfare. OPSEC is not a dead program! It is also not a function of the IC but of the Operations (J-3) Community.

Presidential Commission

The President’s Commission on Critical Infrastructure Protection (PCCIP), established in 1997 to evaluate the vulnerable components of US critical infrastructures, published its findings in an unclassified report titled Critical Foundations: Protecting America’s Infrastructures. It identified eight critical components: telecommunications, transportation, banking/finance, electrical power, oil and gas production and storage, water supply, emergency services, and government services. The report detailed how reliant the United States is on those systems and how vulnerable the systems are to disruption or destruction. The report does not identify the exact location of critical nodes, but it emphasizes the vulnerabilities associated with the identified infrastructures. It further implies that schematics, which outline the specific locations and breakdowns of these critical nodes, are available either for free or for a small fee. The entire PCCIP report, as well as subsequent updates, is available on the World Wide Web.

The publication of the PCCIP report is a two-edged sword. It offers a wake-up call to the United States about many of the possible threats it faces on a daily basis and actions that need to be taken to avoid such threats. On the other hand, it offers an excellent targeting resource launching pad: if someone with aggressive intent, either for war planning or terrorist purposes, were to read, study, and analyze this document, a great deal would be learned about a potential US Achilles’ heel.

The PCCIP consolidated all the information, statistics, and even vulnerabilities for anyone who wants to read about them. The best counter-argument would be: if a bullet has your name on it, it is going to get you... but you do not stick your head out of the foxhole to see if you can read the names on the incoming bullets! The same holds true with the PCCIP. Even though this information is unclassified and available in open-source documentation, one need not search far — the PCCIP has packaged it all in one neat, organized, and searchable document.


Overpublication

Numerous articles, studies, and think-pieces have been published detailing the need to protect the infrastructure from “attack.” By devoting considerable attention to these vulnerabilities, US authorities have inadvertently revealed their overreliance on the information superhighway and the tremendous impact any degradation would have. The rush to publish such articles, along with the publication of the PCCIP, is a boon to potential US adversaries who are beginning to realize the significance and ease of executing an Information Warfare (IW) campaign. Both China and Russia offer schools whose sole concentration of study is IW.

The tendency to fall into the publish-or-perish mode is not the exclusive preserve of the academic community. It appears to be just as relevant to the DoD, contractor, and other DoD-related industries. With this in mind, the United States needs to rethink and readdress what constitutes publication and what truly needs to be proliferated on the World Wide Web. The Web already contains sensitive information about US military personnel, units, capabilities, and functions, which can be accessed anonymously from anywhere in the world. From the PCCIP to Joint Doctrine, the United States itself is peeling back its layers of protection of the US critical infrastructures.


OPSEC in the Corporate World: Ellery Systems

With the arrival of the information age, the civilian sector has become vulnerable in new ways to economic and corporate espionage. The computer allows more data to be “stolen,” and the digitization of data also allows this data to be in more than one place at the same time. Individuals can steal information, and the victim will not know about the theft until it is too late. Consequently, OPSEC is becoming more of a priority in the private sector.

The experience of Ellery Systems, Inc., provides a good vulnerability case study. Ellery Systems was a leading information systems/software products/engineering services company based in Boulder, Colorado. Leading corporations, government agencies, and universities worldwide used its software and services to provide practical information systems solutions for scientific, educational, medical, manufacturing, aerospace, defense, and financial applications. In a case spanning 1989-1995, Ellery lost everything with a few keystrokes.

Ellery’s principal customer was the National Aeronautics and Space Administration (NASA), for which Ellery was developing a system to transfer Astrophysics Data Systems over the Internet. At the time, it was the largest data system ever to be deployed across the Internet, and Ellery owned rights and source code for the program that allowed the compression of data and its transmission.

Ellery devoted years of research, some of which was financed by the DoD, and millions of dollars to develop a communications software program. Ellery was also contributing advanced software technology and applications, runtime licenses, systems engineering, quality assurance and management, and operations support to the National Information Infrastructure Testbed (NIIT), an industry-led consortium formed to help stimulate business and enhance American competitiveness by turning the vision of a national information highway into reality. NIIT provided a nationwide, high-performance testbed environment for implementing a series of real-world applications. The members wanted to evaluate both the everyday and technical issues associated with the maintenance and operation of a national information infrastructure.

Ellery shared membership in NIIT with some well-known and well-established institutions, including AT&T; the College of Oceanic and Atmospheric Sciences; Oregon State University; Department of Energy/Sandia National Laboratories; Digital Equipment Corporation; the EUV Center for Astrophysics; University of California-Berkeley; Essential Communications; Hewlett-Packard; Institute for the Study of the Earth, Oceans, and Space, University of New Hampshire; Network Systems Corporation; Novell, Inc.; Ohio State University; Smithsonian Astrophysical Observatory; Sprint; Sun Microsystems; and SynOptics Communications.


Chinese Connections

In the spring of 1989, Andrew Wang and Jing Cui legally entered the United States from China to work for a corporation known as Unidata, in Denver, Colorado. In December 1990, Ellery Systems hired Wang. For the next year and a half, Wang worked long hours and performed in a superior manner. Most important, he gained the trust, admiration, and friendship of the other employees. He fit right in.

During this time, a Chinese business official showed up at Ellery interested in its technological advances. The Chinese official explained he wanted to improve China’s ability to teach its children in foster homes, daycare centers, and schools. Ellery Systems personnel were attracted by the charitable nature of the inquiry, and they were excited to meet a foreigner who spoke their jargon. They told and showed the Chinese official anything he wanted.

In the summer of 1993, Wang obtained a printout of the Ellery source Data/Code. He approached Cui, who still worked for Unidata, and proposed that they start up a new computer company together, DC Nology. To help them get off to a good start, Wang explained the technological advances Ellery had made and was developing.

In late 1993, Wang contacted Fu Xiangqun, a trade official in China, and explained the opportunity available for them at Ellery’s expense. Fu Xiangqun found a party interested in the opportunity and contacted Wang immediately. Wang approached the company’s president, and he explained that his mother was sick in China and that he would like to visit her. The president, who later admitted to his ignorance and naivete in the whole matter, said Ellery almost paid for Wang’s plane ticket.

In January 1994, Wang flew to China and moved around trying to sell his wares to the highest bidder. He signed a $550,000 business deal with Beijing Machinery Import and Export, a company run by the Ministry of Defense.

On 31 January 1994, Wang returned to Ellery and gave notice he was going to leave the company within two weeks. On 1 February 1994, Wang electronically transferred 122 computer files from Ellery Systems to Unidata in Denver. These files contained 2.5 megabytes of Ellery’s source-coded files. Ellery did not discover the missing files until 10 February. At that time, the firm’s president immediately contacted the FBI and Colorado’s Attorney General to investigate the “theft.” After explaining to the president that virtually no laws pertained to the case, both the FBI and the state’s Attorney General worked to help Ellery successfully prosecute this case. Realizing the precedent this case was setting and that they were entering new legal territory, they pushed hard on the case to help all the other small businesses that might also be victimized.


Enter the FBI

As FBI officials began their investigation, they briefed Ellery’s president on the facts as they discovered them, including how this “attack” fit the profile of Chinese intelligence operations. They then informed him of Wang’s travels around China and the contents of the letter Wang wrote to the Chairman of Beijing Machinery, in which he described advanced computing technology. In this letter, Wang stated: “The common practices of the Americans should be used to defeat them in their own competition.” The president elected to pursue the case in court and break precedent with other companies that had not, until this point, even tried to prove their products had been “electronically” stolen.

Most companies that are victims of this sort of theft never tell anyone because they do not want to lose customers. Yet at that time, 25 percent of the US GNP came from information technology companies, an industry in which Ellery was rapidly growing.

The FBI arrested Wang on 24 February 1994 and searched Unidata. They had no problem finding Ellery’s files on the Unidata computer, and, on 5 April 1994, both Wang and Cui were indicted on charges of wire and computer fraud. The FBI had nothing else to charge them with at the time. The wire-fraud charges were based on a law enacted in the early 1900s which dealt with criminal acts over telegraph and telephone lines. Because the Internet was experiencing problems and re-routed Wang’s transmission of the Data/Code signal through three other states, the FBI and State Attorney General’s office saw this as their best chance to prosecute. Lawyers for both Wang and Cui entered innocent pleas.

On 15 April 1994, a US judge, citing national security concerns, blocked the $550,000 business deal between Wang and Beijing Machinery. He also ruled that Wang had to remain under house arrest until the trial. On 6 December 1995, however, the criminal charges against Wang and Cui were dropped due to insufficient evidence.


A Painful Lesson

Ellery’s key mistake was to trust completely all new employees it hired. Since this case, the enactment of the Economic Espionage Act of 1996 has helped protect US trade secrets. Ellery downsized, declared bankruptcy, and eventually evolved into a new organization — Global Commerce Systems, Inc. — with Ellery’s former president in charge. He openly discusses the lessons that he and his fellow owners learned from this incident, and he continues to work closely with the OPSEC community and the National Counterintelligence Center.


Testing Security

The computer security threat has gained the most attention of late with Red Teams as well as security consultants such as Ira Winkler for hire. Corporations, both large and small, hire Winkler and his staff to infiltrate their organization and steal whatever they can to test the corporation’s security procedures and practices. Many of his success stories are documented in his book Corporate Espionage, and he also speaks of several others when giving presentations. Today, the aspect of “Red Teaming a corporation” which is most widely written about is computer hacking. Many articles have been written about the different corporations and small businesses that make a hefty profit by hiring out their hacking services to test organizations. Winkler, however, stresses that the hacking part of his probes is only one small element.


OPSEC

In the armed services, initial OPSEC training at most units is lumped into the first month or so after the individuals have arrived on station, if the training is offered at all. It is either conducted during a long, drawn-out mass briefing process that only occurs once a quarter or once a year, depending on how many people rotate in and out of the unit, or it is contained in a binder the individual has to read on his own. The second alternative is more prevalent, because it is easier to circulate a binder than conduct a briefing. Given the current attitudes toward OPSEC, most people just sign documentation that they received initial or periodic required OPSEC training. In this fashion, they have satisfied the OPSEC representative’s requirement to pass the next Inspector General inspection. This approach, unfortunately, leaves much to be desired in the training department, and it is reflected on a daily basis by poor OPSEC practices.

The level of interest personnel have in the OPSEC program is directly proportional not only to the attitude of the OPSEC representative, but also to the content and style of his training program. Furthermore, the chain of command has to support enthusiastically and openly both the training program and the continued practice of sound OPSEC measures. A motivated and dedicated OPSEC representative, together with public support from the chain of command, can organize a dynamic and interactive training program that will entertain and educate.

Several different organizations, both civilian and DoD associated, offer a vast amount of information to assist any unit’s OPSEC representative. These organizations offer free training programs, both hardcopy and computer-based training, and daily, monthly, quarterly, or annual newsletters, conference reports, and other OPSEC-related educational material. Getting the word out to those who need it most and the de-institutionalizing of the OPSEC community as a whole seem to be among the problems facing the DoD today.

The Interagency OPSEC Support Staff (IOSS) is charged by the National Security Decision Directive on OPSEC 298 (NSDD 298) to:

...provide or facilitate OPSEC training, and act as a consultancy to Executive Departments and Agencies required to have formal OPSEC programs. The IOSS offers expertise in different disciplines and skills through its diverse membership which currently consists of representatives from the DoE, CIA, NSA, GSA, FBI, and DoD.

IOSS celebrated its 10-year anniversary in 1998, yet word of its existence and services has still not spread to the community as required.


Continuing Importance

A successful OPSEC program parallels a successful intelligence organization in that one never hears about the success stories, only the failures. Kudos should go to several commands within DoD that have begun filtering the information they post. Unfortunately, once something is inadvertently posted it should be considered compromised. The Scott O’Grady rescue e-mail is a perfect example of how, once something is exposed to the Internet, it takes on a life of its own. Many people have tried unsuccessfully to eradicate the e-mail from the Web.


As the Federal Government continues to publish articles and direct unprecedented attention to cyber threats while seemingly ignoring traditional human-related vulnerabilities, it is setting itself up for a potential future catastrophe. Even though our official world becomes more and more information-based with each passing day, it cannot and should not leave traditional programs such as OPSEC to each individual’s common sense. The threat of individuals stealing critical information via computers remains real. On a daily basis, however, personnel in DoD and in the rest of the IC freely, and, more than likely, inadvertently, give more information away via the computer (e-mail and web pages), phone, fax, garbage, or any other number of methods.


The value of this information, freely and innocently published, distributed, and discarded, remains underestimated and addressed primarily by OPSEC and OPSEC-related professionals. To help offset these human-related vulnerabilities, senior-level support and funding need to be made available to help move OPSEC into the role of everyday applicability. This funding and support should go toward the training, education, and practices of the other elements of IO, particularly OPSEC, besides just those dealing with the cyber-threat.